Opening Question:

How do you find your target's activity traffic?
Opening Question:

What if you don't know your target's E-mail address? Or you're trying to find new ones they may be using?

What if the traffic you're interested in doesn't even contain an E-mail address?

What do you do then?
Opening Question:

You may try to look for keywords or patterns to help find your target.

But how do we scan for keywords in the large volumes of data we see in DNI collection? Won't we get too many false hits?
Context Sensitive Scanning

Context sensitive scanning gives analysts a powerful way to surgically target the traffic you're interested in, by only applying the keywords in the manner in which the analyst intended them to be applied.
For example, think about these scenarios:

• "I want to look for documents from Iran that mention a banned item"

• "I want to look for people doing web searches on Jihad from Kabul"

• "I want to look for people using Mojahedeen Secrets encryption from an iPhone"

• "I want to look for documents containing this regular expression"

• "I want to look for E-mails that mention words from various categories of interest to CP"

How would you go about targeting those in passive DNI?
Fingerprints are an extremely flexible way to target DNI traffic without the foreknowledge of a strong selector.

They take advantage of X-KEYSCORE's context sensitive scanning engine, which has over 70 unique contexts that can be targeted.

An XKS Fingerprint is simply a meta-data tag that gets applied to a session when certain criteria are met.

Think of fingerprints as analyst-defined "attributes" of a session.
There are currently almost 10,000 AppIDs and Fingerprints in X-KEYSCORE; the full list is available from the NSA XKS Home Page.

Odds are there may already be a fingerprint for the traffic you're interested in.

If not, you can easily create your own!
I'm an analyst in CT - I want to find any time Mojahedeen Secrets 2 is seen in DNI traffic.

I'm an analyst in CP - I want to find E-mails or Documents relating to the Iranian Nuclear Procurement network.

I'm an analyst in NDIST/NTOC - I want to find traffic from a known botnet.
Use Fingerprints!

[Screenshots of the AppID (+ Fingerprints) Field Builder showing existing fingerprints for each scenario: topic/wmd/iran/irisl/edi1/chat_body, .../edi1/document_body, .../edi1/email_body, .../edi1/filename, .../edi1/url_path, topic/wmd/iran/irisl/edi2 and .../edi3; encryption/mojaheden2 with its /encodedheader, /hidden, /hidden2, /hidden44, /secure_file and /secure_file_encoded variants; and botnet/blackenergybot/command/die, /flood, /icmp, /stop, /syn and /wait.]
Who is writing fingerprints?

[Pie chart of fingerprint authors by organization; the legend includes Ext, F77, FTV, MISCELLANEOUS, R1, R1/R4, R22, R4, S, S2B, S2C, S2D, S2E, S2G, S2H, S2I, S32, S33, SSG and QT.]
Getting Started

What are the basics of XKS Fingerprints?

Simple XKS fingerprints are keyword or regular expression based signatures that are evaluated across the data collected and processed by X-KEYSCORE.
Getting Started

Boolean Equations

Basic fingerprints can also use Boolean equations:

  appid('voip/sip/IMS', 6.0, wireshark='sip') =
    ('via: sip' or 'v: sip') and 'cseq:' and (
      'p-access-network-info:' or
      'p-called-party-id:' or
      'p-charging-vector:' or
      'p-charging-vector-addresses:' or
      'p-media-authorization:' or
      'security-verify:' or
      'proxy-authorization:' and 'scscf' or
      'path:' and 'pcscf' or
      'path:' and 'scscf'
    );
Regular Expressions

And Regular Expressions

  fingerprint('encryption/mojahedeen2') =
    /(?:Begin|End).ASRAR.El.Mojahedeen.v2\..{0,5}Encrypted.Message/ or
    /Mojahedeen.v2\..{0,5}Encrypted.Message/ or
    /(?:Begin|End).Al-Ekhlaas.Network.ASRAR.El.Moujahedeen.V2/;

* Regular expressions must include a fixed "anchor" meeting the minimum keyword length.

  Bad: /[A-Z]{3}-[0-9]{3,5}/
  OK:  /ABC-[0-9]{3,5}/
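As an added example (not code from the slides), here is a Python checker for the anchor rule just stated: it finds the literal runs that every match of a pattern must contain and compares the longest one against a minimum length. The slides do not give the minimum itself, so it is a parameter of anchor_ok(); the function names and the tokenizer are assumptions of this example.

```python
"""Anchor check for regex fingerprints (added example, not XKS code):
fixed_literals() returns the literal runs every match must contain and
anchor_ok() compares the longest against a minimum length. Conservative:
anything optional, repeated or inside an alternation is not an anchor."""

# Single-character tokens: quantifier minimum counts, group/alternation
# delimiters and variable atoms (. ^ $) that can never be part of a literal.
SINGLE = {"?": ("quant", 0), "*": ("quant", 0), "+": ("quant", 1),
          ")": ("close", None), "|": ("alt", None),
          ".": ("any", None), "^": ("any", None), "$": ("any", None)}


def _tokens(pat):
    """Tokenize a regex into (kind, value): lit, any, open, close, alt, quant."""
    i, n = 0, len(pat)
    while i < n:
        c = pat[i]
        if c == "\\" and i + 1 < n:          # escapes
            e = pat[i + 1]
            if e == "x" and i + 3 < n:       # \xHH is one fixed byte
                yield ("lit", chr(int(pat[i + 2:i + 4], 16)))
                i += 4
            elif e in "dDwWsSbBAZ":          # class-like escapes: not fixed
                yield ("any", None)
                i += 2
            else:                            # \. \/ \+ ... one literal char
                yield ("lit", e)
                i += 2
        elif c == "[":                       # character class, incl. [^...] []...]
            j = i + 1 + (pat[i + 1:i + 2] == "^")
            j = pat.find("]", j + (pat[j:j + 1] == "]"))
            yield ("any", None)
            i = n if j < 0 else j + 1
        elif c == "{" and pat.find("}", i) > 0:   # {m}, {m,}, {m,n}: min count
            j = pat.find("}", i)
            lo = pat[i + 1:j].split(",")[0].strip()
            yield ("quant", int(lo) if lo.isdigit() else 0)
            i = j + 1
        elif c == "(":
            i += 3 if pat.startswith("(?:", i) else 1
            yield ("open", None)
        elif c in SINGLE:
            yield SINGLE[c]
            i += 1
        else:
            yield ("lit", c)
            i += 1

def _flush(frame):
    if frame["cur"]:
        frame["runs"].append(frame["cur"])
        frame["cur"] = ""

def fixed_literals(pattern):
    """Literal substrings guaranteed to appear in every match of `pattern`."""
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == "/":
        pattern = pattern[1:-1]              # strip XKS /.../ delimiters
    frames = [{"runs": [], "cur": "", "alt": False}]
    pending = None                           # literals of a just-closed group
    prev = None
    for kind, val in _tokens(pattern):
        frame = frames[-1]
        if pending is not None:              # keep group unless made optional
            if not (kind == "quant" and val == 0):
                frame["runs"].extend(pending)
            pending = None
        if kind == "lit":
            frame["cur"] += val
        elif kind == "quant":
            if prev == "lit":                # a{3} -> aaa, a? -> dropped
                frame["cur"] = frame["cur"][:-1] + frame["cur"][-1] * val
                _flush(frame)                # repetition ends the fixed run
        elif kind == "any":
            _flush(frame)
        elif kind == "open":
            _flush(frame)
            frames.append({"runs": [], "cur": "", "alt": False})
        elif kind == "close" and len(frames) > 1:
            _flush(frame)
            done = frames.pop()
            pending = [] if done["alt"] else done["runs"]
        elif kind == "alt":                  # nothing around | is guaranteed
            frame["cur"], frame["runs"], frame["alt"] = "", [], True
        prev = kind
    _flush(frames[0])
    if pending is not None:
        frames[0]["runs"].extend(pending)
    return [] if frames[0]["alt"] else frames[0]["runs"]

def longest_anchor(pattern):
    """Longest guaranteed literal, or '' when there is none."""
    runs = fixed_literals(pattern)
    return max(runs, key=len) if runs else ""

def anchor_ok(pattern, min_len):
    """True when the pattern carries a fixed literal of at least min_len chars."""
    return len(longest_anchor(pattern)) >= min_len
```

With a minimum of 4, the slide's "Bad" pattern fails (its only fixed literal is "-") and the "OK" pattern passes on "ABC-"; the Mojahedeen Secrets header regex above anchors on "Mojahedeen".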
Binary Patterns

And Binary Patterns

  fingerprint('botnet/IO/XXPW0023') =
    $http and
    '\x53\x53\x48\x00\x00\x00\x00\x00'c and
    '\x00\x00\x00\x00\x03\x00\x53\x4D\x52'c;

  fingerprint('botnet/IO/XXPW0023') =
    $http and
    hex('5353480000000000') and
    hex('000000000300534D52');

  fingerprint('botnet/IO/XXPW0023') =
    pos('\x53\x53\x48\x00\x00\x00\x00\x00') == 4
    and pos('\x00\x00\x00\x00\x03\x00\x53\x4D\x52') == 24;

  fingerprint('botnet/IO/XXPW0023') =
    $http and
    (pos('\x53\x53\x48\x00\x00\x00\x00\x00') >= 144 and
     pos('\x53\x53\x48\x00\x00\x00\x00\x00') <= 184) and
    (pos('\x00\x00\x00\x00\x03\x00\x53\x4D\x52') >= 164 and
     pos('\x00\x00\x00\x00\x03\x00\x53\x4D\x52') <= 204);
For example, take the first scenario:

"I want to look for documents from Iran that mention a banned item"

Just using keywords with Boolean equations, how could we restrict the term to only a document body and only traffic coming from Iran?
X-KEYSCORE's context sensitive scanning engine allows you to explicitly say where you want a term to hit.

As an early example, the Tech Strings in Documents capability allowed analysts to restrict terms to only Email, Chat or Document bodies.

The full XKS Context Sensitive Scanning engine allows for over 70 unique contexts to be used as part of a fingerprint.
Context Sensitive Scanning

For example, take the first scenario:

"I want to look for documents from Iran that mention a banned item"

Using the XKS context for Country Code (based on NKB information) and the XKS context for Document Bodies, this easily becomes:

  fingerprint('demo/scenario1') =
    cc('ir') and doc_body('banned item');
Context Sensitive Scanning

As another example, let's say we want to tag all iPhone usage. Using the XKS context for User Agent this easily becomes:

  fingerprint('demo/scenario2') =
    user_agent('iphone');
USSID18/HRA Considerations

XKS Fingerprints may not be USSID18 or HRA compliant if they are queried on by themselves.

For example, we may want to fingerprint the use of mobile web devices like the iPhone, so that attribute could be used as part of a more complex query.

But querying for the iPhone fingerprint by itself would be a USSID18 and HRA violation.
USSID18/HRA Considerations

But if you want to look for an iPhone user from an Iranian proxy accessing his Mail.ru account:

[Screenshot of the query form: the IP Address field holds the proxy address, and the AppID (+ Fingerprints) field, filled through the Field Builder, combines browser/cellphone/iphone with mail/webmail/mailru (the builder also offers mail/webmail/mailru/attachment and mail/webmail/mailru/post).]
Context Sensitive Scanning

What contexts are available for use in XKS Fingerprints?

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

HTTP Activity Contexts (1 of 2)

html_title(expr)
  The normalized extracted text of web page titles.
  html_title('how to' and 'bomb')

http_host(expr)
  The "Host:" name given in the HTTP header.
  http_host('yahoo.com')

http_url(expr)
  Every URL from HTTP GET and POST commands.
  http_url('/mail/inbox' and 'action=delete')

http_url_args(expr)
  All arguments given as part of a URL (i.e. all text following the '?' in a URL string).
  http_url_args('action=delete')

http_referer(expr)
  The "Referer:" URL given in the HTTP header.
  http_referer('http://badwebsite/cp?action=show')

http_language(expr)
  The normalized two letter iso-6393 language code as inferred from any HTTP and/or HTML header info.
  http_language('ta' or 'de')
HTTP Activity Contexts (2 of 2)

http_cookie(expr)
  The "Cookie:" field given in the HTTP header.
  http_cookie(/PREF=\d\d[a-z]/)

http_server(expr)
  The "Server:" type name in the HTTP header.
  http_server('GWS/2.1' or 'Apache')

http_user_agent(expr)
  The "User-Agent:" field given in the HTTP header.
  http_user_agent(/Mozilla\/[45]/ or 'Chrome')

web_search(expr)
  The normalized extracted text from web searches.
  web_search('ricin' or 'plague')

x_forwarded_for(expr)
  The X-Forwarded-For IP address from the HTTP header.
  x_forwarded_for('1.2.3.4')
Protocol Contexts (1 of 2)

ip(expr)
  The source or destination IP address of the session.
  ip('127.0.0.1')

from_ip(expr)
  The source IP address of the session.
  from_ip('127.0.0.1')

to_ip(expr)
  The destination IP address of the session.
  to_ip('127.0.0.1')

ip_subnet(expr)
  IP subnet in CIDR notation.
  ip_subnet('7.211.143.148/24')

port(expr)
  The source or destination TCP or UDP port number.
  port('22')

from_port(expr)
  The source TCP or UDP port number.
  from_port('22')

to_port(expr)
  The destination TCP or UDP port number.
  to_port('22')
Protocol Contexts (2 of 2)

cc(expr)
  The country (either to OR from) based on IP address.
  cc('ir' or 'pk')

from_cc(expr)
  The source country based on IP address.
  from_cc('ir' or 'pk')

to_cc(expr)
  The destination country based on IP address.
  to_cc('ir' or 'pk')

protocol(expr)
  The textual form of the IP next protocol.
  protocol('TCP')

next_protocol(expr)
  The textual form of the IP next protocol.
  ip_next_protocol('1')

mac_address(expr)
  The MAC address of the target network device.
  mac_address('00:16:3E:3F:BD:EF')
email_body(expr)
  The UTF-8 normalized text of all email bodies.
  email_body('how to' and 'build' and ('bomb' or 'weapon'))

chat_body(expr)
  The UTF-8 normalized text of all chat bodies.
  chat_body('how to' and 'build' and ('bomb' or 'weapon'))

document_body(expr)
  The UTF-8 normalized text of the Office document. Office documents include (but are not limited to) Microsoft Office, Open Office, Google Docs and Spreadsheets.
  document_body('how to' and 'build' and ('bomb' or 'weapon'))

calendar_body(expr)
  The UTF-8 normalized text of all calendars. An example is Google Calendar.
  calendar_body('wedding')

archive_files(expr)
  Matches a list of files from within an archive. For example, if a ZIP file is transmitted, all names of files within are passed to this context.
  archive_files('bad.dir' or 'virus.doc')

http_post_body(expr)
  The UTF-8 normalized text of HTTP url-encoded POSTs.
  http_post_body('action=send' and 'badguy@yahoo')
Aliases

doc_email_body(expr)
  This covers the email_body and document_body contexts.
  doc_email_body('how to' and 'build' and ('bomb' or 'weapon'))

communication_body(expr)
  This covers the email_body, document_body and chat_body contexts.
  communication_body('how to' and 'build' and ('bomb' or 'weapon'))
Context sensitivity

Why use context-sensitive scanning?

More intuitive - you can say what you mean

More accurate - if 'maps.google.com' is mentioned in a blog post, you don't want to try processing it as a Google Maps session

Better performance for XKEYSCORE
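To make "say where you want a term to hit" concrete, here is an added Python model (not XKS code) of context-sensitive evaluation: a session is a bag of named contexts, a fingerprint is a predicate that may reference other fingerprints by name (as in the scenario with two existing fingerprints combined), and pos() covers the binary-pattern offsets from the earlier slides. The Session class, every fingerprint name and the sample sessions are assumptions constructed for this example.

```python
"""Toy model of context-sensitive fingerprint evaluation (added example)."""
import re


class Session:
    """One captured session, already parsed into named contexts."""

    def __init__(self, **contexts):
        self.ctx = contexts
        self.tags = set()          # fingerprint names applied to this session

    def ctx_match(self, name, term):
        """Context predicate: `term` must hit inside context `name` only.
        `term` is a keyword (case-insensitive substring) or a compiled regex."""
        value = self.ctx.get(name, "")
        if isinstance(term, re.Pattern):
            return term.search(value) is not None
        return term.lower() in value.lower()

    def anywhere(self, term):
        """Context-free keyword scan over every field: the behaviour the slides
        argue against (a URL quoted in a blog post is not a Maps session)."""
        return any(term.lower() in str(v).lower() for v in self.ctx.values())

    def pos(self, pattern):
        """Byte offset of `pattern` in the raw payload, or -1 if absent,
        like the XKS pos() function used with binary patterns."""
        return self.ctx.get("payload", b"").find(pattern)


# name -> predicate(session). Names and logic are assumptions for this example.
FINGERPRINTS = {}


def fingerprint_hit(session, name):
    """fingerprint('x') used inside another definition: evaluate by name."""
    return FINGERPRINTS[name](session)


FINGERPRINTS["demo/google_maps"] = lambda s: s.ctx_match("http_host", "maps.google.com")
FINGERPRINTS["demo/iphone"] = lambda s: s.ctx_match("http_user_agent", "iphone")
# Composite of two existing fingerprints, like the slides' demo/scenario4.
FINGERPRINTS["demo/iphone_maps"] = lambda s: (
    fingerprint_hit(s, "demo/iphone") and fingerprint_hit(s, "demo/google_maps"))
# Binary pattern at a fixed offset, like the slides' pos('...') == 4 form.
FINGERPRINTS["demo/header_at_offset"] = lambda s: s.pos(b"\x53\x53\x48\x00\x00") == 4
# Country plus document body, like demo/scenario1 (cc('ir') and doc_body('...')).
FINGERPRINTS["demo/scenario1"] = lambda s: (
    s.ctx_match("cc", "ir") and s.ctx_match("doc_body", "banned item"))


def apply_fingerprints(session):
    """Tag the session with every fingerprint that fires; return the tags."""
    for name, pred in FINGERPRINTS.items():
        if pred(session):
            session.tags.add(name)
    return sorted(session.tags)


# Constructed sample sessions (not real traffic).
BLOG_POST = Session(
    http_host="blog.example.test",
    http_user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X)",
    doc_body="Directions: open maps.google.com and search for the venue.",
    cc="de",
)
MAPS_SESSION = Session(
    http_host="maps.google.com",
    http_user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X)",
    cc="de",
)
BINARY_SESSION = Session(payload=b"GET \x53\x53\x48\x00\x00\x00\x00\x00 trailing")

if __name__ == "__main__":
    for label, s in [("blog post", BLOG_POST), ("maps session", MAPS_SESSION),
                     ("binary", BINARY_SESSION)]:
        print(label, "->", apply_fingerprints(s),
              "| naive keyword hit:", s.anywhere("maps.google.com"))
```

The blog post gets only demo/iphone, although a context-free scan of the same session does find 'maps.google.com'; the real Maps session picks up the host, device and composite tags.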
• "I want to look for people doing web searches on Jihad from Kabul"

Using the from_city() and web_search() contexts this becomes:

  fingerprint('demo/scenario3') =
    from_city('kabul') and web_search('jihad');
Examples

• "I want to look for people using Mojahedeen Secrets encryption from an iPhone"

You can even use existing fingerprints in a fingerprint definition! So this becomes:

  fingerprint('demo/scenario4') =
    fingerprint('encryption/mojahdeen2') and
    fingerprint('browser/cellphone/iphone');
Examples

• "I want to look for documents containing this regular expression"

Using doc_body this becomes:

  fingerprint('demo/scenario5') =
    doc_body(/blah[a-z]{3,5}something/);
Example 4

• "I want to look for E-mails that mention words from various categories of interest to CP"

You can use multiple variables in an equation like this:

  topic('wmd/acw/govtorgs') =
    email_body($acwitems and $acwpositions and
      ($acwcountries or $acwbrokers or $acwports));
  $acwitems = 'machine gun' or 'grenade' or 'AK 47';
  $acwpositions = 'minister of defence' or 'defense minister';
  $acwcountries = 'Somalia' or 'liberia' or 'sudan';
  $acwbrokers = 'south africa' or 'serbia' or 'bulgaria';
  $acwports = 'rangood' or 'albasra' or 'dar es salam';

  topic('wmd/acw/govtorgs') =
    email_body($acwitems and $acwpositions and
      ($acwcountries or $acwbrokers or $acwports));
Advanced Code-Based Fingerprints

What happens when there are no keywords or regular expressions that will help identify the traffic of interest to you?

As one example, many of the CT targets are now smart enough to not leave the Mojahedeen Secrets header in the E-mails they send. How can we detect that the E-mail (which looks like junk) is in fact Mojahedeen Secrets encrypted text?

A C++ code fingerprint can help evaluate that data.
Code Based Fingerprint

[Screenshot of an Arabic-language webmail interface showing a March 2007 message whose body is a long block of base64-looking text with no Mojahedeen Secrets header.]
Advanced Code-Based Fingerprints

  fingerprint('encryption/mojaheden2/hidden44') =
    $moj_cipher_first_test
    : c++
    preprocessors : {{
      // Two candidate regexes for the encoded body; their character classes
      // are illegible in the scan and are shown here as placeholders.
      msg1 = /<pattern illegible in the scan>/c;
      msg2 = /<pattern illegible in the scan>/c;
    }}

    main : {{
      std::string msg;
      if (msg1)
        msg = msg1[0];
      else if (msg2)
        msg = msg2[0];
      else
        return false;

      char buf[16];
      char chunk1[16];
      char chunk2[16];
      char chunk3[16];
      if (true) {
        // Hex-print three consecutive 4-byte chunks of the candidate body.
        snprintf(chunk1, 16, "%02x%02x%02x%02x",
                 msg[10] & 0xff, msg[11] & 0xff, msg[12] & 0xff, msg[13] & 0xff);
        snprintf(chunk2, 16, "%02x%02x%02x%02x",
                 msg[14] & 0xff, msg[15] & 0xff, msg[16] & 0xff, msg[17] & 0xff);
        snprintf(chunk3, 16, "%02x%02x%02x%02x",
                 msg[18] & 0xff, msg[19] & 0xff, msg[20] & 0xff, msg[21] & 0xff);

        // Reject the candidate if any two of the three chunks are identical.
        if (!((strcmp(chunk1, chunk2) == 0) ||
              (strcmp(chunk2, chunk3) == 0) ||
              (strcmp(chunk1, chunk3) == 0))) {
          std::string msg_decoded = xks::base64dec(msg);
          // Every decoded byte from index 7 on must be a hex digit
          // (the upper bound of the check is illegible in the scan).
          for (size_t i = 7; i < msg_decoded.size(); i++) {
            if (msg_decoded[i] < '0' ||
                (msg_decoded[i] > '9' && msg_decoded[i] < 'a') ||
                /* upper-bound test illegible in the scan */ false)
              return false;
          }
          // The key ID is carried in bytes 1..4 of the decoded message.
          snprintf(buf, 16, "%02x%02x%02x%02x",
                   msg_decoded[1] & 0xff, msg_decoded[2] & 0xff,
                   msg_decoded[3] & 0xff, msg_decoded[4] & 0xff);
          std::string keyid_hex = buf;
          // (the remainder of the listing is cut off on the slide)

[Screenshot of the Field Builder with encryption/mojaheden2/hidden44 selected.]
Advanced Code-Based Fingerprints

As another example, some of the activity from the Conficker botnet simply can't be detected with keywords or regular expressions.

In cases like this, C++ code can be used inside a fingerprint to test the data further.
Advanced Code-Based Fingerprints

  fingerprint('botnet/conficker_p2p_udp_data', 7.0) =
    $udp and not '<keyword illegible in the scan>' and not '<keyword illegible in the scan>'
    : c++{{
      // Reconstructed from a low-quality scan; expressions marked
      // "illegible" could not be recovered. Classification banner omitted.
      uint8_t key8;
      uint8_t key9;
      uint8_t pkt_type;
      uint8_t decrypted_bytes[1];

      uint32_t running_hash = 0;
      uint32_t k_high;
      uint32_t k_low;
      uint8_t hash[4] = {0, 0, 0, 0};

      uint32_t min_pkt_len;
      uint32_t max_pkt_len;
      uint32_t t;
      packet_t pkt;

      while (pkt = get_packet())
      {
        if (pkt.size < 10)
          return false;

        // Per-packet key bytes derived from pkt.data[7]; the exact
        // shift/mask expressions are illegible in the scan.
        key8 = (uint8_t)( /* illegible */ );
        key9 = (uint8_t)( /* illegible */ );

        if (((key9 ^ pkt.data[9]) & 0xfc) != 0x80)
          return false;          // Not Conficker, so abort

        if ((key8 ^ pkt.data[8]) & 0x02)
          /* illegible */ ;      // bit set in UDP packets

        if (pkt.size < 23)
          continue;

        if ((key9 ^ pkt.data[9]) != 0x80)
          continue;

        pkt_type = (key8 ^ pkt.data[8]) >> 3;

        if (pkt_type & 0x10)     // external
          continue;

        if (!(pkt_type & 0x08))  // not a data packet
          continue;

        min_pkt_len = 22;
        max_pkt_len = (uint32_t) pkt.size;

        // 32-bit key halves assembled from pkt.data[0..7]
        // (byte order illegible in the scan).
        k_high = /* illegible */ ;
        k_low  = /* illegible */ ;

        running_hash = 0;
        for (t = 0; t < max_pkt_len; t++)
          if (t >= 8)            // decrypt data
          {
            // (the remainder of the listing is cut off on the slide)

[Screenshot of the Field Builder with botnet/conficker_p2p_udp_data selected.]
Meta-data Extracting Fingerprints

What happens when you find data and want some pieces of meta-data extracted?

XKS Fingerprints can be used to extract meta-data into selected XKS database tables.

Or, if no existing database table is applicable, you can define your own database schema for the meta-data.
As a real-life example, think of all of the various Free File Upload (FFU) sites of interest.

When a user uploads a document they get a response page that looks like this:
Free File Upload Sites

[Screenshot of a zSHARE upload response page: the site banner ("With zSHARE you can upload files, images, videos, audio and flash for free. Simply use the upload form below and start sharing!") and menu (Upload now, Login, Create Free Account, Premium, FAQ); then "File Uploaded - The file khi_pics.zip was successfully uploaded! (4.04MB). You're now ready to share it with unlimited people or keep it as a backup", followed by the Download Link, Link for forums, Direct Link and Delete Link for the file, and an "E-mail Me This Info" form asking for the uploader's e-mail address.]
Look at all the great information on that page:

[Zoomed screenshot of the "File Uploaded" section: the success message with the file name and size, and the Download Link, Link for forums, Direct Link and Delete Link URLs, each carrying the upload ID and, for the delete link, a delete token.]
How can we quickly get that information extracted as meta-data and be agile enough to respond to each FFU site, which may have its own format?

XKS "V4" Fingerprints allow you to use the XKS Fingerprint Language to extract meta-data into the XKS database.

Fingerprints are deployed within an hour of being accepted, meaning you no longer need to wait for all 130+ XKS sites to be upgraded to have the latest and greatest capabilities.
  appid('filetransfer/web/zshare_net/upload/response', 5.0) =
    http_title('zSHARE') and 'zshare.net/delete.html'
    : c++
    extractors : {{
      wft_file_name = /The\sfile\s<strong><font\scolor=\"#333333\">([^<]{1,300})\s</;
      wft_delete_url = /zshare.net\/delete.html\?([0-9]+)-([0-9a-zA-Z]{32})\"/;
      wft_upload_id = /<font color=\"#666666\"><a href=\"http:\/\/www\.zshare\.net\/[^\/]+\/([0-9]+)[0-9a-f]{8}/;
      wft_url = /<font color=\"#666666\"><a href=\"(http:\/\/www\.zshare\.net\/[^\/]+\/[^\/]+)/;
      wft_uploader_username = /<small>Logged in as: ([^<]+)<\/small>/;
    }}
    main = {{
      if (wft_delete_url) {
        DB["web_file_transfer"]["wft_upload_id"] = wft_upload_id[0];
        DB["web_file_transfer"]["wft_delete"] = wft_delete_url[0] + "-" + wft_delete_url[1];
        DB["web_file_transfer"]["wft_site_name"] = "zshare.net";
        DB["web_file_transfer"]["transfer_type"] = "upload";
        if (wft_file_name) {
          DB["web_file_transfer"]["wft_filename"] = wft_file_name[0];
        }
        if (wft_url) {
          DB["web_file_transfer"]["wft_url"] = wft_url[0];
        }
        if (wft_uploader_username) {
          DB["web_file_transfer"]["uploader_username"] = wft_uploader_username[0];
        }
        DB.apply();
      } else {
        logger.debug("filetransfer/web/zshare_net/upload/response: Host regexs didn't match");
      }
      return true;
    }};
Meta-data Extracting Fingerprints

All you do is tell XKS when to start extracting meta-data:

  appid('filetransfer/web/zshare_net/upload/response', 5.0) =
    http_title('zSHARE') and 'zshare.net/delete.html'
    : c++
Meta-data Extracting Fingerprints

Use Regular Expressions to tell it what to extract:

  extractors : {{
    wft_file_name = /The\sfile\s<strong><font\scolor=\"#333333\">([^<]{1,300})\s</;
    wft_delete_url = /zshare.net\/delete.html\?([0-9]+)-([0-9a-zA-Z]{32})\"/;
    wft_upload_id = /<font color=\"#666666\"><a href=\"http:\/\/www\.zshare\.net\/[^\/]+\/([0-9]+)[0-9a-f]{8}/;
    wft_url = /<font color=\"#666666\"><a href=\"(http:\/\/www\.zshare\.net\/[^\/]+\/[^\/]+)/;
    wft_uploader_username = /<small>Logged in as: ([^<]+)<\/small>/;
  }}
Meta-data Extracting Fingerprints

Finally, tell it which database tables you want to store the information in:

  main = {{
    if (wft_delete_url) {
      DB["web_file_transfer"]["wft_upload_id"] = wft_upload_id[0];
      DB["web_file_transfer"]["wft_delete"] = wft_delete_url[0] + "-" + wft_delete_url[1];
      DB["web_file_transfer"]["wft_site_name"] = "zshare.net";
      DB["web_file_transfer"]["transfer_type"] = "upload";
      ...

[Screenshot of the resulting web_file_transfer row: File URL (the zshare.net download link), Filename khi_pics.zip, Transfer Type upload, Upload ID 63719957, Delete ID (the 32-character delete token), Site Name zshare.net.]
Meta-data Extracting Fingerprints

What if the meta-data you want to extract doesn't fit nicely into any of the existing XKS meta-data tables?

[Screenshot of the XKS query tree listing the existing tables, e.g. Classic A-M / N-Z, ASF and WMV Metadata, Alert, Network Logs, PDF Metadata, BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log DNI, HTTP Activity, IRC Cafe Geolocation, Logins and Passwords, PILBEAM, Phone Number Extractor, RBGAN, REGISTRY, RTP, Radius Logs, RealMedia Metadata, SIP, TOR Log, Tech Strings in Documents, User Activity, WLAN, Web Proxy, Wireshark.]
Meta-data Extracting Fingerprints

Define your own with the "Microplugin" query forms.

[Screenshot of the Microplugins query tree, e.g. Ccne Blindmarksmen Beacon, Ccne Byzantine Raptor Trojans, Ccne Traffic, Ccne Victim Id, Encryption Steg JSTEG, Exit Metadata, Ipv6 Addresses, Mailer Accounts, Ms2 Extract Keyids, Munged Traffic, NetStrings, QUANTUMBOT Table, Saudi Mfa Visa, VPN External IP Addresses, Vpn Users, Web Geo Cell Towers, Web Geo Results, Web Geo Wifi Towers, _sub Dictionary Code Snippet.]
Meta-data Extracting Fingerprints

Example MS2 KeyIDs

[Screenshot of the "Ms2 Extract Keyids" microplugin query form: Query Name, Justification, Recent Justifications, Additional Justification, Miranda Number, Datetime (1 Day; Start 2010-05-03 00:00, Stop 2010-05-04 23:59), Usernames realm, and From/To IP Address and Port fields, each with a Field Builder.]
Meta-data Extracting Fingerprints

[Screenshot of the "Ccne Byzantine Raptor Trojans" microplugin query form with the same header fields (Query Name, Justification, Additional Justification, Recent Justifications, Miranda Number, Datetime 2010-05-03 00:00 to 2010-05-04 23:59) plus the plugin's own columns: brt_decrypt, brt_hostname, brt_ipaddress, brt_length, brt_os_version, brt_packet_type, brt_sequence_num, brt_username, and From/To IP Address fields with Field Builders.]
The new XKS Fingerprint GUI allows analysts to directly test, submit and manage fingerprints through the web.

[Screenshot of the Fingerprint Validation / Submittal page: navigation for Fingerprints (Step #1, Step #2, Step #3, Help), buttons to Validate / Submit, Compile, Test Against Session Data, Save and mark Approved, a Pending list and My Signatures, and two text areas labelled "Type or paste any global VARIABLE DECLARATIONS here." and "Type or paste a FINGERPRINT definition here. Press Compile when done editing".]
New Fingerprint GUI

The new XKS Fingerprint GUI allows analysts to directly test, submit and manage fingerprints through the web.

Global Variable Declarations

  $test = 'bomb' or 'missle' or 'ied';

Signature

  fingerprint('test/test1') = email_body($test);

Results

  Congratulations, your fingerprint was successfully compiled!
  Now use the Test button to run it against the designated session data.

Questions?
Syntax Rules

The definition of the fingerprint will look like this (the owner value is illegible in the scan and is shown as a placeholder):

  fingerprint('test/blah/something', owner = '<owner>') =

Note the single quotes needed for the fingerprint name and owner.
Syntax Rules

Secondly, every fingerprint definition must be completed by a semi-colon:

  fingerprint('test/blah/something', owner = '<owner>') =
    'badguy';
Syntax Rules

Variables also must be completed by a semi-colon:

  $badguy = 'bomb' or 'gun' or 'weapon';

  fingerprint('test/blah/something', owner = '<owner>') =
    $badguy;

Syntax Rules

Definitions and variables can span multiple lines:

  $badguy =
    'bomb' or
    'gun' or
    'weapon';

  fingerprint('test/blah/something', owner = '<owner>') =
    $badguy;